NTsyslog

Windows NT/2000/XP syslog service

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307

Description:

This program runs as a service under Windows NT-based operating systems. It formats
all System, Security, and Application events into a single line and
sends them to a syslog(3) host.

The service will be started automatically by the service control manager
during system startup. You can start and stop the service manually from the Services
Control Panel.

By default the service runs under the LocalSystem account. The service can be configured to run as a local user with the following rights:

Log on as a service

Manage auditing and security log

The user the service runs as can be configured in the NTsyslog Properties page which can be accessed through the Services Control Panel.

A GUI tool, NTSyslogCtrl, is provided to configure what types of messages are monitored and what priority to use for each type.

The priority for each event log type determines the facility and severity of the
syslog messages sent for that log. Each log type has a separate priority.
If the priority value for a particular key does not exist, as when you are upgrading
or using an old NTSyslogCtrl app, the default is 9, user.alert.

Usually, syslog refers to a "facility" and a "severity". These are
combined into a single value called the "priority".

To calculate the priority from the usual facility and severity codes:

Take the numeric value of the facility, multiply it by 8,
and add the numeric value of the severity.

Note that facilities 4, 9, 10, and 15 have different meanings on
various systems. Please consult your system manual pages or
syslogd documentation.
Complete details are available in RFC 3164. See:
http://www.ietf.org/rfc/rfc3164.txt
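
The priority arithmetic above, worked through as an added example (not part of NTsyslog's own source): it encodes and decodes the PRI value, builds the single-line RFC 3164 packet the service sends, and handles a received packet with a missing or invalid PRI. The facility names, host name, tag and event text are constructed sample values.

```python
import re
from datetime import datetime

# RFC 3164 facility and severity names. Facilities 4, 9, 10 and 15 differ
# between systems (see the README); the RFC 3164 names are used here.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_PACKET = 1024   # RFC 3164 upper bound on a syslog packet, in bytes
DEFAULT_PRI = 13    # RFC 3164 4.3.3: assume user.notice when PRI is missing or invalid
PRI_RE = re.compile(r"^<(\d{1,3})>")

def encode_priority(facility, severity):
    """priority = facility * 8 + severity; either argument may be a name or a number."""
    if isinstance(facility, str):
        facility = FACILITIES.index(facility)
    if isinstance(severity, str):
        severity = SEVERITIES.index(severity)
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity

def decode_priority(pri):
    """Split a PRI value back into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0..191")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def format_message(pri, hostname, tag, text, when):
    """One RFC 3164 packet: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG,
    event text folded onto one line, ASCII only, cut at 1024 bytes."""
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    text = " ".join(text.splitlines())          # multi-line event -> single line
    line = "<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, text)
    return line.encode("ascii", "replace")[:MAX_PACKET]

def parse_message(packet):
    """Return (facility, severity, remainder) for a received packet."""
    data = packet.decode("ascii", "replace")
    m = PRI_RE.match(data)
    pri = int(m.group(1)) if m else -1
    if not 0 <= pri <= 191:                     # no usable PRI: keep the whole text
        return decode_priority(DEFAULT_PRI) + (data,)
    return decode_priority(pri) + (data[m.end():],)

if __name__ == "__main__":
    # Constructed sample event, sent with the README's default priority 9 (user.alert).
    print(format_message(encode_priority("user", "alert"), "winhost", "NTsyslog",
                         "Logon failure\r\nUser: bob", datetime(2004, 10, 7, 13, 5, 9)))
```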

The NTSyslog service must be stopped and restarted for the Registry settings
to take effect. By default all messages are sent using the user.alert priority.

Registry Settings:

The NTSyslogCtrl program is the preferred method of configuring the registry. Editing
the registry manually is not required when using the configuration tool.

The syslog host is configured by creating the following
Registry entry:

The syslog host can be specified by domain name (loghost.example.com) or
by IP address (10.123.112.1).

The types of event log messages sent to the syslog host can be
configured by setting the DWORD value for each of the types of messages. All
types with a non-zero value will be processed. The included registry file enables all event types for each event log: